It seems like we hear about a new data breach on an almost daily basis. This past week, we heard about two newsworthy data breaches that were caused or detected, at least in part, by a merger or acquisition.

The first worth mentioning is the Starwood/Marriott data breach, which affected up to 500 million accounts. It has been reported that an "unauthorized party" was able to copy and encrypt information from the Starwood guest systems. There is also a possibility that some information may have been removed. The breach was detected before Sept 10 but may date as far back as 2014. They believe that this breach occurred because a company that they purchased was already suffering a data breach. After the merger, the hacker was then able to access the Starwood systems as well.

The second is the Commonwealth Bank data breach. It's still unclear how many accounts were affected and whether this was a real data breach or simply an "ethical data breach". Commonwealth Bank is selling off CommInsure (the insurance arm of Commonwealth Bank). During the data segregation and separation, they detected that some of their systems overlapped in unexpected ways. They stated that medical information supplied by customers to CommInsure may have been made available to other arms of the bank, including staff who decide whether or not to approve loan applications. This report comes after Commonwealth Bank already made the news in 2016, when they lost backup data for 15 years' worth of customer statements affecting 20 million accounts.

Of course, details are still forthcoming on both of these stories. 

Whether you are on the buying side or the selling side, you need to ensure that you have good cyber security protocols in place. You should have:

  • Clearly defined data mapping and policies
  • Solid data compliance and protection programs
  • Trustworthy security detection procedures
  • Well-formulated response plans should a breach be detected later
  • Continued education for employees on the changing world of cyber security

Clearly Defined Data Mapping and Policies

Using a tool like ER/Studio Data Architect, you can lay out the data structure of an organization. You can then use this information to create data maps and data policies. You can add metadata that makes the data model clearer to the people who are trying to understand it. You can use ER/Studio Enterprise Team Edition to have deeper discussions about the data available. This can help detect and identify obsolete and redundant data.

Solid Data Compliance and Protection Programs

Using a tool like SQL Compliance Manager, you can audit your databases to determine who is accessing your information. An audit review can detect unauthorized accounts that are taking action on your databases. In the case of a breach, you can review your audited information and state exactly what information was accessed and when. 

Trustworthy Security Detection Procedures

Using a tool like SQL Secure (which can be coupled with SQL Compliance Manager in the SQL Security Suite), you can audit server roles, users and principals and ensure that the right people have access to your systems. You can check your servers' permissions against best practices. You can also audit server configurations and settings.

Well-Formulated Response Plans

Using a tool like ER/Studio Business Architect (which is available standalone or as part of ER/Studio Enterprise Team Edition), you can create Business Processes that are tied to your Data Objects to create visual processes that are easy for teams to follow and understand. Not only does this work well to define data breach response plans, but it also helps to define better policies and procedures for companies that are merging together. High-level conceptual models are available in this tool for data discussions that take place with business partners.

Continued Education

IDERA hosts continual Geek Syncs and Webinars to help you and your team continue your education on data-related topics.

Data breaches are an everyday occurrence, but they don't have to affect your organization. Whether you are proving good citizenship to a company that is purchasing you, protecting your company as it merges in a new entity, or simply trying to stay on top of your systems and data, IDERA has solutions available to help you.

Anonymous